Control Change and Prevent Malware on Windows Server 2008R2

Much has been said and written about AppLocker since its introduction in Windows 7. Microsoft primarily positions the tool as a way to lock down the applications that run on desktop computers, and while the tool has its fans for that use; it also has its detractors. Maintaining an organization-wide inventory of all the desktop software you use is difficult, and AppLocker’s relatively primitive tools don’t make it an easy task.

That said, clients aren’t the only computers on our networks, and the exact conditions that make AppLocker more complicated to use with clients can make it a real winner on servers. With clients, AppLocker becomes complex because we have so many applications, users are always after a one-off or temporary exception, and no matter how homogeneous we try to make our clients, little unique differences always crop up over time. Servers, on the other hand, are almost exactly the opposite: We know exactly what’s running on them, that list of software rarely changes, and when it does change it tends to do so as part of a controlled change process. So AppLocker might be perfect for helping to control change on our servers, as well as prevent malware.